Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 09 Oct 2014 01:09:19 +0200
From: Sven Kieske <svenkieske@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts on Shellshock and beyond

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08.10.2014 23:53, Tracy Reed wrote:
> While it is too late for our hardware etc. perhaps strong type
> systems such as found in Haskell can help here? It is known to be
> very good at avoiding undefined or unexpected runtime behavior. Too
> late also for current languages to have this bolted on but if
> anyone wanted to write "secure" software I'd be looking at
> languages which provide some more guarantees. Too late for bash 
> also, of course which I suppose points us back at the original
> problem.


Well, for web frameworks, just take yesod (http://www.yesodweb.com/
written in haskell) as an example. to quote their site:
"Turn runtime bugs into compile-time errors"

I still think, this is the right direction, yes it's painful.
But it's a real solution to a real (huge) fraction of the problem.

Imho of course, please enlighten me with some counter arguments.
Oh, here is one from myself:

vendors are not liable, not even for the most serious
software bugs. so there is no incentive for them to make
better software.

the software industry is afaik the only one which is not liable
if they fuck their very own products up.

do this if you're building skyscrapers, cars, medical
equipment, anything, and you go to jail.

the funny part is, these businesses do rely on software
today, so if there's a bug, let's say in some construction
software and no one notices, the skyscraper architect might
get sued and go to jail, but not the programmer/vendor
who wrote that shitty code.

Software is too important to not have any rules in place.
This was okay until the 90s (maybe), but not in the 21st
century.

regards

Sven

PS: fun fact, the only thing you _will_ get sued for are:
software patents
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBAgAGBQJUNcQfAAoJEAq0kGAWDrqlKuQL/28ye2bJ8Ry9anTpfptPr8yL
mSHDcQHnuKFJtVkg6bJJb0SQURJNM2djUYSUZoKCvYpyssE4B+vCgHXqN3Kf0ehz
iv0Q3LPgSHAk7a+Yj+QR3uW7r+CvH7I4BI28+OYpOe5SOzSlcMG/Lulmez18mJ5K
G7iOc0EB6RTT4EUrGrpAd9cSjgBgFupkvl1bgaL0UVkPqw3qpXBaWf3LULjQ60z8
qmcW9yihMSr3rT7LCtO3RYDgzFK3GSltTMYDe1jVzlbtYl6FJNZnSzssSV6OfhFG
vqbmPxwtf3AXZrRTLMF+HXYr5YZiQa0jYo41E2h/tKBTNty7C5cw7PMmQVFPY9QR
HfNBhWNj2fz8wLSPGcnFXw9Raz6616Z5gcaZVDwrbkWe7O8AOkiunJd91FRbnK1X
V4bV/gOlfAVmOXegHdcWlUJYPNHQIHD3DU895A5OAGLuptipAvKiNagNahHonw+S
SVoJvE5nrmPCoIjo3Z0ovLieSKa0+61G9cFu955fpQ==
=/D4K
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.